SolarWinds hackers have a clever way to bypass multi-factor authentication

Cognac

Ars Praefectus
5,383
Subscriptor++
Novel indeed.

These cookies are used for "Trust This Device"-type settings, right, given that they had to present the username and password? If the user/organisation required a new MFA confirmation for every login, would that "overcome" this particular problem?

I mean, Dark Halo still gained admin access to the network, so there's a few other problems there.

Also, I despise the Outlook Web App.
 
Upvote
110 (114 / -4)

Roguish

Ars Scholae Palatinae
1,083
Oh, so it had been nothing to do with Microsoft. Now something else, on something kind of unrelated, has... well, a little. Maybe.

Eventually, we will get to the bottom of this. With all things potentially damaging to revenue streams of important enough organizations stripped out, sure, but the truth nevertheless.

I'm behind on the news today, so maybe it's been confirmed, but I thought they were looking at MS vulnerabilities as a possible means used to move around the network from the originally infected system.

[EDIT]

Also, skimming the fine article again, I'm not sure the breach discussed is directly related to the SolarWinds breach; just the same attackers, providing context for their sophistication.
 
Upvote
34 (35 / -1)

DDopson

Ars Tribunus Militum
2,967
Subscriptor++
The best passwords are easy for humans to remember and hard for machines to brute-force. Phrases of randomly selected words tend to be ideal.

To be strong, a password needs to include genuine randomness. If your password isn't random, it's probably weak and vulnerable. Attackers have libraries of millions of leaked passwords that they mine for patterns, so whatever strategy you can think of for mentally generating a password, it's probably in the dataset. It's much safer to generate true random entropy, then pick a good encoding scheme to make that entropy memorable. Humans suck at generating entropy, so use a machine, or if you are paranoid, some dice.

The strength of pass-phrases is that random words are easier to remember than random characters. They tend to be faster to type as well.

For example, something like "inert purple dog flowers" or "social squash Augustus honey" is trivially easy to remember (your brain encodes it as speech), and quick to type, but is non-trivial to brute-force, roughly as challenging as a random 13-letter password like "gybtlbwvscimu" or a random 10-character password like "Uy^Y$*9qqQ".

With a decent passphrase generator (e.g. https://untroubled.org/pwgen/ppgen.cgi? ... Passphrase) that makes random selections from a dictionary, each word is worth about 15 bits, versus 4.7 bits for randomly selected letters, or 6.2 bits for randomly selected letters with capitalization, numbers, and symbols. You gain another 1 to 2 bits from your choice of delimiter: space, period, dash, nothing, etc. Most people find one word easier than three letters. Numbers and symbols are even less efficient. The worst is RaNdomIzEd cApitaLizAtiOn, which is laughably brutal on the human brain, roughly equivalent to memorizing binary. Words are the most efficient.

I prefer not to trust the passphrase generation tool. I typically mine the randomly generated passphrases for word combos that are memorable and easy to type, refreshing at least a dozen times, then I mix and match so that my passphrase isn't one of the strings generated by the site. Being imperfectly random only costs me a few bits of entropy, and in a pattern that's difficult for an attacker to codify. More importantly, it adds enough "client-side entropy" to mitigate the most realistic attack vectors involving the passphrase generation tool. A dump of all phrases ever generated isn't enough to attack me; they'd need the exact set of words I was presented on my 15 refreshes, correlated to the system I was securing, plus some brute-force effort. The tool I linked generates passwords on the server, which isn't ideal from a trust perspective, but even with a perfect tool, as long as it's web based, I'd rather not depend on trusting that the Javascript does exactly what I think it does. I'm not going to open the debugger every time I use it, and I'm too lazy to write my own tool.

Also, best to use a password manager so that you only need one or two actual passphrases.

[Edit: my first version of this post was a bit informal and folks thought I didn't know about dictionary attacks; I updated it to be clearer and to emphasize the importance of using actual randomness]
 
Upvote
24 (66 / -42)
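The entropy arithmetic behind the post above, as an added worked example (not code from the post or the linked generator): it computes the bits of a dictionary passphrase versus random-character schemes, finds the equivalent lengths the post quotes (4 words at 15 bits vs 13 lowercase letters vs 10 mixed characters), and draws words with a CSPRNG. The word list and the 74-symbol mixed alphabet are constructed assumptions.

```python
import math
import secrets

# Constructed stand-in word list. A real dictionary-based generator draws from
# roughly 32,000 words, which is where "about 15 bits per word" comes from
# (log2(32768) == 15). With only 16 words this list gives 4 bits per word.
SAMPLE_WORDS = (
    "inert purple dog flowers social squash augustus honey river "
    "candle marble falcon orbit velvet anchor thistle"
).split()


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly random pick from the alphabet."""
    return math.log2(alphabet_size)


def scheme_entropy(symbols: int, alphabet_size: int, delimiter_choices: int = 1) -> float:
    """Total bits for `symbols` independent uniform picks from `alphabet_size`.

    `delimiter_choices` only adds entropy if the delimiter itself is chosen
    uniformly at random (1 choice => 0 extra bits; 4 choices => 2 extra bits).
    """
    return symbols * math.log2(alphabet_size) + math.log2(delimiter_choices)


def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Fewest uniform random symbols from the alphabet that reach target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(words, n_words: int, delimiter: str = " ") -> str:
    """Draw n_words independently and uniformly using the `secrets` CSPRNG.

    Words are drawn with replacement, so repeats are allowed; excluding them
    would slightly reduce the entropy below n_words * log2(len(words)).
    """
    if len(set(words)) < 2:
        raise ValueError("word list too small to give any entropy")
    return delimiter.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes(n_words: int, dictionary_size: int = 32768) -> dict:
    """Bits of an n-word passphrase and the random-character lengths matching it."""
    target = scheme_entropy(n_words, dictionary_size)
    return {
        "passphrase_bits": target,
        # 26 lowercase letters: ~4.7 bits each
        "lowercase_letters": symbols_needed(target, 26),
        # assumed 26+26+10 letters/digits plus 12 symbols = 74: ~6.2 bits each
        "mixed_with_symbols": symbols_needed(target, 74),
        # a 1000-word "common English" list: ~10 bits per word
        "small_dictionary_words": symbols_needed(target, 1000),
    }


if __name__ == "__main__":
    print(compare_schemes(4))
    print(generate_passphrase(SAMPLE_WORDS, 4))
```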

CTMike

Seniorius Lurkius
27
Subscriptor
The akey is needed to authenticate to the Duo service when it’s time to phone home to Duo and initiate second factor auth. So the interesting bits here are how exactly the akey was compromised, but more so... how the actor was able to use that akey to bypass the call to the Duo service. Was it configured not to prompt for MFA on every login?
 
Upvote
64 (64 / 0)

DDopson

Ars Tribunus Militum
2,967
Subscriptor++
The best passwords are easy for humans to remember and hard for machines to brute-force. Phrases of unrelated words tend to be ideal.

I used to memorize random passwords like bahopre3 (one digit away from one of my old passwords that was compromised). But random numbers and symbols add entropy less quickly than just adding words.

Something like "purple dog flowers" or "social squash Augustus" is trivially easy to remember, but surprisingly difficult to brute-force. If there are 1000 common English words, then each word is about as good as 2 to 3 letters. If you use one or more obscure words, the passphrase gets radically stronger. Despite having more letters, I've found that pass-phrases are faster to type than passwords, and rather than mess with capitalization, numbers, and symbols, which are all slow to type, I prefer to just add more words.

Also, best to use a password manager so that you only need one or two actual passphrases.
If you practice Mnemonic memory techniques a little bit, you'll find that memorizing a 16+ character random password generated for you by a good passgen isn't hard.
Actual brute force attacks aren't that common; most attackers use permuting dictionary attacks. By using real words, no matter the rarity, you're reducing the possible combinations to a tiny fraction of the total... and more importantly that possibility space is what will be checked first.

Agreed. The only thing that matters is total entropy under the system of encoding. Memorizing 16 random characters takes effort. Remembering it two weeks later is even harder. The equivalent entropy from a passphrase would be 5 to 8 words. By "brute-force", I was assuming a dictionary attack. Any good brute-force attacker will, at a minimum, bias their guesses towards probable distributions.
 
Upvote
-10 (11 / -21)

Jedakiah

Ars Tribunus Militum
1,575
I’m a bit confused by the writing: is this saying that Dark Halo, APT29, and Cozy Bear are all the same?

Yes.

Also: I’m not managing to work out message flows for the 2FA thwart. Probably because I don’t sufficiently understand how Duo works, but the article assumes I do.

Fair enough. Essentially 2FA expects two things in order for you to login: 1) A password hash that matches the hash value in the password database. 2) A value that was generated by a 2FA server and sent to a device owned by the user.

This hack bypassed the second of those, by hacking the 2FA server. This hack unveiled the secret the server uses to generate 2FA values. With knowledge of this secret a hacker can generate their own 2FA keys without ever contacting the server again.

When a 2FA server is compromised, it's game over for 2FA. Basically period. The primary advantage for a hacker in generating their own values, is there is less chance of getting detected. By compromising the 2FA server once, there are fewer logs/sessions indicating the server was compromised. It helps them remain stealthy longer. So either way this attacker could have bypassed 2FA. But the method they used was clever for stealth reasons.
 
Upvote
122 (125 / -3)

mike_syn

Ars Scholae Palatinae
764
I’m a bit confused by the writing: is this saying that Dark Halo, APT29, and Cozy Bear are all the same?

Threat Intel is kind of like astronomy in that whoever finds a thing gets to name it. Because attribution is hard, it is usually not immediately obvious that incidents X, and Y, and Z are all one particular attacker... which means that it is easy for multiple names to get attached to one attacker.
 
Upvote
57 (57 / 0)

Dilbert

Ars Legatus Legionis
34,009
If you want secure there is only one way and this man knew how:

[image: battlestar-galactica-edward-james-olmos-adama.jpg]
 
Upvote
69 (73 / -4)

MechR

Ars Praefectus
3,230
Subscriptor
The best passwords are easy for humans to remember and hard for machines to brute-force. Phrases of unrelated words tend to be ideal.

I used to memorize random passwords like bahopre3 (one digit away from one of my old passwords that was compromised). But random numbers and symbols add entropy less quickly than just adding words.

Something like "purple dog flowers" or "social squash Augustus" is trivially easy to remember, but surprisingly difficult to brute-force. If there are 1000 common English words, then each word is about as good as 2 to 3 letters. If you use one or more obscure words, the passphrase gets radically stronger. Despite having more letters, I've found that pass-phrases are faster to type than passwords, and rather than mess with capitalization, numbers, and symbols, which are all slow to type, I prefer to just add more words.

Also, best to use a password manager so that you only need one or two actual passphrases.
Bank sites tend to have low length caps that cramp this style, unfortunately.
 
Upvote
74 (74 / 0)

SirOmega

Ars Tribunus Angusticlavius
6,212
Subscriptor++
Once hacked, the only safe thing to do is rebuild everything.

A friend of mine's wife worked at a large company with a high profile CEO (donated lots of money and took sides on political issues). They got hacked by a foreign hacker group that was on the opposite side of those issues; the hackers defaced their websites and stole data. They ended up purchasing, re-racking, and rebuilding everything. Nothing that was there before was trusted, not network infrastructure, not servers, not storage.
 
Upvote
89 (89 / 0)
The akey is needed to authenticate to the Duo service when it’s time to phone home to Duo and initiate second factor auth. So the interesting bits here are how exactly the akey was compromised, but more so... how the actor was able to use that akey to bypass the call to the Duo service. Was it configured not to prompt for MFA on every login?

Not that I have any actual idea. But having used Duo in the past, there is an ability to disable 2FA for a particular account. Presumably one would need to have that akey handy in order to update that setting.
 
Upvote
4 (5 / -1)

Systema Encephale

Ars Scholae Palatinae
631
Subscriptor
The best passwords are easy for humans to remember and hard for machines to brute-force. Phrases of unrelated words tend to be ideal.

I used to memorize random passwords like bahopre3 (one digit away from one of my old passwords that was compromised). But random numbers and symbols add entropy less quickly than just adding words.

Something like "purple dog flowers" or "social squash Augustus" is trivially easy to remember, but surprisingly difficult to brute-force. If there are 1000 common English words, then each word is about as good as 2 to 3 letters. If you use one or more obscure words, the passphrase gets radically stronger. Despite having more letters, I've found that pass-phrases are faster to type than passwords, and rather than mess with capitalization, numbers, and symbols, which are all slow to type, I prefer to just add more words.

Also, best to use a password manager so that you only need one or two actual passphrases.
If you practice Mnemonic memory techniques a little bit, you'll find that memorizing a 16+ character random password generated for you by a good passgen isn't hard.
Actual brute force attacks aren't that common; most attackers use permuting dictionary attacks. By using real words, no matter the rarity, you're reducing the possible combinations to a tiny fraction of the total... and more importantly that possibility space is what will be checked first.

I dabbled in such techniques for a while (after reading Hannibal :)), and my impressions were mixed. They seemed to help memorizing complex long sequences in a way that I could recall them hours or days later, which was neat. But when applying this in the long term to a multitude of infrequently used sequences (passwords and phone numbers), I found that for me even the most bizarre mnemonic image encodings would soon blur into a useless chaos. So the credit card number involved Einstein throwing a pizza at Princess Leia on a tricycle, but did Leia crash the tricycle into a shark, or an elephant - or was the elephant crash something from my dentist's phone number?

Eventually I gave up on this. Memorizing the original sequences themselves seemed to work just as well/poorly in the long term, but without the need to spend time translating them into elaborate short stories. Might be just me, though. Do you use such methods for many passwords?

Edit: typo
 
Upvote
59 (61 / -2)

real mikeb_60

Ars Tribunus Angusticlavius
13,064
Subscriptor
The best passwords are easy for humans to remember and hard for machines to brute-force. Phrases of unrelated words tend to be ideal.

I used to memorize random passwords like bahopre3 (one digit away from one of my old passwords that was compromised). But random numbers and symbols add entropy less quickly than just adding words.

Something like "purple dog flowers" or "social squash Augustus" is trivially easy to remember, but surprisingly difficult to brute-force. If there are 1000 common English words, then each word is about as good as 2 to 3 letters. If you use one or more obscure words, the passphrase gets radically stronger. Despite having more letters, I've found that pass-phrases are faster to type than passwords, and rather than mess with capitalization, numbers, and symbols, which are all slow to type, I prefer to just add more words.

Also, best to use a password manager so that you only need one or two actual passphrases.
Bank sites tend to have low length caps that cramp this style, unfortunately.
Depends. The banks and brokers and 401K/Roth operators I deal with all accept at least 20 characters now (the default length of what Keepass generates). That's still too short to use a decent passphrase, true. But it's way better than they were even a few years ago. They all, also, offer 2FA, though so far they don't accept use of an authenticator app (like MS or Google) or a hardware key like a Yubi, at least for consumer accounts. And finding the 2FA setup options can be a hunting expedition in their options forest.

Getting a Yubikey for signing up with a paid Ars account was a good pitch. Unfortunately, I've found almost zero places that actually let me use it.
 
Upvote
40 (40 / 0)

afidel

Ars Legatus Legionis
18,198
Subscriptor
Suspicious stock dumping, note the dates:

CEO Recent Trades:

President & CEO Kevin B Thompson sold 166,129 shares of SWI stock on 11/19/2020 at the average price of $21.65. The price of the stock has increased by 1.52% since.

President & CEO Kevin B Thompson sold 533,871 shares of SWI stock on 11/18/2020 at the average price of $21.91. The price of the stock has increased by 0.32% since.

CFO Recent Trades:

EVP CFO & Treasurer James Barton Kalsu sold 68,211 shares of SWI stock on 11/13/2020 at the average price of $22.14. The price of the stock has decreased by 0.72% since.

Directors and Officers Recent Trades:

EVP, Corp Dev & Gen Counsel Jason Bliss sold 67,758 shares of SWI stock on 11/13/2020 at the average price of $22.14. The price of the stock has decreased by 0.72% since.

EVP, Engineering & CTO W. Joseph Kim sold 25,378 shares of SWI stock on 11/10/2020 at the average price of $21.87. The price of the stock has increased by 0.5% since.

EVP & President, ITOM David Gardiner sold 57,251 shares of SWI stock on 11/09/2020 at the average price of $22.47. The price of the stock has decreased by 2.18% since.

https://finance.yahoo.com/news/solarwin ... HqbHGrF-KV
I'm not seeing any there, there. Kevin B Thompson for instance has share sales from 11-9 to 11-21 going back to 2009 across multiple companies he's been an executive in. Most likely this is structured around blackout periods and tax schedules.
 
Upvote
28 (28 / 0)

AxMi-24

Ars Legatus Legionis
10,353
The best passwords are easy for humans to remember and hard for machines to brute-force. Phrases of unrelated words tend to be ideal.

I used to memorize random passwords like bahopre3 (one digit away from one of my old passwords that was compromised). But random numbers and symbols add entropy less quickly than just adding words.

Something like "purple dog flowers" or "social squash Augustus" is trivially easy to remember, but surprisingly difficult to brute-force. If there are 1000 common English words, then each word is about as good as 2 to 3 letters. If you use one or more obscure words, the passphrase gets radically stronger. Despite having more letters, I've found that pass-phrases are faster to type than passwords, and rather than mess with capitalization, numbers, and symbols, which are all slow to type, I prefer to just add more words.

Also, best to use a password manager so that you only need one or two actual passphrases.
Bank sites tend to have low length caps that cramp this style, unfortunately.
Depends. The banks and brokers and 401K/Roth operators I deal with all accept at least 20 characters now (the default length of what Keepass generates). That's still too short to use a decent passphrase, true. But it's way better than they were even a few years ago. They all, also, offer 2FA, though so far they don't accept use of an authenticator app (like MS or Google) or a hardware key like a Yubi, at least for consumer accounts. And finding the 2FA setup options can be a hunting expedition in their options forest.

Getting a Yubikey for signing up with a paid Ars account was a good pitch. Unfortunately, I've found almost zero places that actually let me use it.

Not sure that hardware 2FA would help here. If they have access to master secrets it's like encryption where the bad guy knows all your keys.

At that point it's game over. Which is why the whole cloud thing is so insecure. You do not have control over keys so there is always at least the cloud provider who has full access to all your data.
Add to that SSO, which promotes use of very short and simple passwords as you have to type it in a bazillion times a day to log into your computer, and it's not surprising that security is a joke in most places.

Edit about 20 min after the original post:
Now that I think about it, dedicated hardware on both ends might work for 2FA as there is no way to remotely extract secrets out of the hardware. This might also work for some types of encryption. But if your entire system is compromised it's hard to defend anything even with dedicated hardware backing.
 
Upvote
10 (12 / -2)
I dabbled in such techniques for a while (after reading Hannibal :)), and my impressions were mixed. They seemed to help memorizing complex long sequences in a way that I could recall them hours or days later, which was neat. But when applying this in the long term to a multitude of infrequently used sequences (passwords and phone numbers), I found that for me even the most bizarre mnemonic image encodings would soon blur into a useless chaos. So the credit card number involved Einstein throwing a pizza at Princess Leia on a tricycle, but did Leia crash the tricycle into a shark, or an elephant - or was the elephant crash something from my dentist's phone number?

Eventually I gave up on this. Memorizing the original sequences themselves seemed to work just as well/poorly in the long term, but without the need to spend time translating them into elaborate short stories. Might be just me, though. Do you use such methods for many passwords?

Edit: typo

I have 6 memorized passwords. Password manager handles the 600 or so others. The way my memory works connects music to events, so I connect music to passwords. Then it's just a matter of calling up the right song, and that triggers the memory of the password. It could be related to the song - lyrics, but usually not. It's usually something I heard or did when listening to the song. Sometimes it's almost nonsense - a combination of things I saw on that trip when that song was being played. Always 20+ alphanumeric. Now, I do sometimes have to search for the song, but that usually only takes a moment. Changing the password is a matter of changing the song.

So I have 6 songs in me.

4 of the 6 are either the password manager or ways to recover the password manager in an emergency (part of our evacuation plan is the ability to recreate everything from a new system using only my memory). The other 2 are logins that I use with such frequency that running to the password manager becomes inconvenient.

Everything else is a unique random 30 character alphanumeric + symbols by default, dialing back when a system tells me it's too long. Also makes it easy to find those less secure systems. I've replaced services a few times when it said nothing longer than 12 characters. No, sorry, that doesn't fly. Having your passwords in a database is critical. Find bad passwords, duplicates, notices when sites get compromised. I change at least one password a month, usually around one a week.
 
Upvote
15 (16 / -1)
Edit about 20 min after the original post:
Now that I think about it, dedicated hardware on both ends might work for 2FA as there is no way to remotely extract secrets out of the hardware. This might also work for some types of encryption. But if your entire system is compromised it's hard to defend anything even with dedicated hardware backing.

This is how ApplePay works. The private keys are in your device, not exposed to the OS. And the transaction times out after a reasonably short period of time. Assuming there are no flaws in the encryption algorithm, you either need to physically secure the originating device, or you need to brute force it faster than the transaction times out. Good luck with that.

This is why Apple operates the way they do. Your iPhone (iPad, Watch, etc) is a unique hardware key with local biometrics, and you can build out a lot when you have over a billion such devices in circulation. One of the best aspects of it is that it's pretty impervious to phishing. Not only do I not know the private key, I couldn't give it to you if I wanted to. At best I could hand you my device, but I can't leak my credentials remotely.
 
Upvote
34 (34 / 0)

AxMi-24

Ars Legatus Legionis
10,353
As for secure passwords, I subscribe to the "take a song or rhyme, and use the first letters from each word in it, and add a couple of special chars in - say every 5th position". I find it makes it trivially easy for me to create 24-32 length totally random passwords that are very easy to recall.

Because there are so many songs on the planet and no way whatsoever to find out what kind of music you like.

Anything that is easy for humans to remember is easy to brute force. Especially in today's hyper surveillance world.

The only reasonably secure systems are hardware backed where human memory is not involved.
Of course, if you ship all your data to a third party it's game over from the start.
 
Upvote
-9 (3 / -12)

AxMi-24

Ars Legatus Legionis
10,353
Edit about 20 min after the original post:
Now that I think about it, dedicated hardware on both ends might work for 2FA as there is no way to remotely extract secrets out of the hardware. This might also work for some types of encryption. But if your entire system is compromised it's hard to defend anything even with dedicated hardware backing.

This is how ApplePay works. The private keys are in your device, not exposed to the OS. And the transaction times out after a reasonably short period of time. Assuming there are no flaws in the encryption algorithm, you either need to physically secure the originating device, or you need to brute force it faster than the transaction times out. Good luck with that.

This is why Apple operates the way they do. Your iPhone (iPad, Watch, etc) is a unique hardware key with local biometrics, and you can build out a lot when you have over a billion such devices in circulation. One of the best aspects of it is that it's pretty impervious to phishing. Not only do I not know the private key, I couldn't give it to you if I wanted to. At best I could hand you my device, but I can't leak my credentials remotely.

Yea, Apple does some things very well, but then they force iCloud without encryption and insist on being in control of all keys, which makes the security a bit of a joke. Trusting a corporation not to sell you out is even more ridiculous than flat earthers.
 
Upvote
11 (14 / -3)

85mm

Ars Scholae Palatinae
1,077
Subscriptor++
As for secure passwords, I subscribe to the "take a song or rhyme, and use the first letters from each word in it, and add a couple of special chars in - say every 5th position". I find it makes it trivially easy for me to create 24-32 length totally random passwords that are very easy to recall.
If you use an existing rhyme, it's not random. You would have to use a random generator to produce the song / rhyme; that's going to negate most of the advantage of your technique. I'm sure it's better than nothing though.
 
Upvote
8 (8 / 0)

Kazper

Ars Praefectus
4,283
Subscriptor
As for secure passwords, I subscribe to the "take a song or rhyme, and use the first letters from each word in it, and add a couple of special chars in - say every 5th position". I find it makes it trivially easy for me to create 24-32 length totally random passwords that are very easy to recall.

Because there are so many songs on the planet and no way whatsoever to find out what kind of music you like.

Anything that is easy for humans to remember is easy to brute force. Especially in today's hyper surveillance world.

The only reasonably secure systems are hardware backed where human memory is not involved.
Of course, if you ship all your data to a third party it's game over from the start.
Who said anything about only music I like? And yes, there is a LOT of music and rhymes on the planet. Combined with the fact you can use any verse or part of the song or rhyme, it means you have close to limitless possibilities. What kind of argument is that?

As for secure passwords, I subscribe to the "take a song or rhyme, and use the first letters from each word in it, and add a couple of special chars in - say every 5th position". I find it makes it trivially easy for me to create 24-32 length totally random passwords that are very easy to recall.
If you use an existing rhyme, it's not random. You would have to use a random generator to produce the song / rhyme; that's going to negate most of the advantage of your technique. I'm sure it's better than nothing though.
As I said above you can pick any verse or starting point in a song or rhyme. It might not be mathematically random, but it gives damn close to infinite permutations. And certainly using your own works too. As long as it's stuck in your head for good then you're golden on remembering, and it's as safe as any reasonably memorizable password will ever be. Also, remember some additional randomness is generated by adding symbols (since those would be hard to add based on the rhyme).
 
Upvote
3 (5 / -2)

AxMi-24

Ars Legatus Legionis
10,353
As for secure passwords, I subscribe to the "take a song or rhyme, and use the first letters from each word in it, and add a couple of special chars in - say every 5th position". I find it makes it trivially easy for me to create 24-32 length totally random passwords that are very easy to recall.

Because there are so many songs on the planet and no way whatsoever to find out what kind of music you like.

Anything that is easy for humans to remember is easy to brute force. Especially in today's hyper surveillance world.

The only reasonably secure systems are hardware backed where human memory is not involved.
Of course, if you ship all your data to a third party it's game over from the start.
Who said anything about only music I like? And yes, there is a LOT of music and rhymes on the planet. Combined with the fact you can use any verse or part of the song or rhyme, it means you have close to limitless possibilities. What kind of argument is that?

As for secure passwords, I subscribe to the "take a song or rhyme, and use the first letters from each word in it, and add a couple of special chars in - say every 5th position". I find it makes it trivially easy for me to create 24-32 length totally random passwords that are very easy to recall.
If you use an existing rhyme, it's not random. You would have to use a random generator to produce the song / rhyme; that's going to negate most of the advantage of your technique. I'm sure it's better than nothing though.
As I said above you can pick any verse or starting point in a song or rhyme. It might not be mathematically random, but it gives damn close to infinite permutations. And certainly using your own works too. As long as it's stuck in your head for good then you're golden on remembering, and it's as safe as any reasonably memorizable password will ever be. Also, remember some additional randomness is generated by adding symbols (since those would be hard to add based on the rhyme).

All good in theory. Practice has shown that anything that humans are capable of remembering is easy to brute force. Especially as "systems" like yours get leaked out and can be easily programmed into crackers.

Ars had a very good article on password cracking some years ago and it included things like "systems" which were collected from password leaks, people describing them and so on.
 
Upvote
19 (20 / -1)